Malicious RTF — malware analysis report

Static analysis result for SHA-256 6941ffb36d48cbd6…

MALICIOUS

RTF

Size: 53.3 KB
First seen: 2019-01-12
MD5: d7caecbad97fa550443de5830cc0a3b5
SHA-1: 48e073df7e471378a9ea2c91fe99f127f5eaf981
SHA-256: 6941ffb36d48cbd6f58da9ba8b02388b79573382a0a6f41385276856ae30a7dc
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE object data and carries an \objupdate control word, indicating an attempt to activate the embedded content automatically. Critical heuristics confirm exploitation of CVE-2017-11882, a known vulnerability in Microsoft Equation Editor (EQNEDT32.EXE) that allows arbitrary code execution. This indicates a malicious document delivered as an e-mail attachment, intended to exploit the vulnerability as soon as the file is opened.

Heuristics (4)

  • CVE-2017-11882: Equation Editor FONT record overflow [critical; CVE likely; rule CVE_2017_11882]
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 [critical; rule CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation [high; rule RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium; rule RTF_OBJDATA]
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000c81.bin
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xC81
Size:     5467 bytes
SHA-256:  1c453ea9a9df5ad3bf44222bbd848c1aa30b031174ca23315d345d3cd95efd02